Restricting Access

Restricting IMAP/POP3 access

Below examples show how you can give POP3 access to everyone, but IMAP access only for some people. The exact solution you want depends on what passdb you use. The solutions can also be modified for other types of IMAP/POP3/SMTP/etc. access checks.

PAM

Set PAM service name to %s, ie.:

passdb {
driver = pam
args = %s
}

That way PAM uses /etc/pam.d/imap for IMAP, and /etc/pam.d/pop3 for POP3.

passwd-file

This makes Dovecot look for /etc/dovecot/deny.imap and /etc/dovecot/deny.pop3 files. If the user exists in it, the access is denied. The files don't need to have anything else than one username per line.

Note that this deny passdb must be before other passdbs. It also means that it can be used with any other passdb, not just with passwd-file passdbs.

Restricting IP Access

It's possible to allow a user to authenticate only from a specific IP or network. This is especially useful for master users. This can be done by returning allow_nets extra field in passdb.